Almost all businesses are affected by the EU General Data Protection Regulation (GDPR), from sole traders to multinationals. But even though the GDPR intends to unify data protection rules across the EU, not all businesses will face the same problems. We’ve covered many of these problems, but this blog focuses on what sole traders need to do before the Regulation takes effect on 25 May 2018.
Appoint a data protection officer
A data protection officer (DPO) has many responsibilities, such as monitoring compliance with the GDPR and other data protection laws, and acting as the point of contact for supervisory authorities and individuals whose data is processed.
Most sole traders are unlikely to be explicitly required to appoint a DPO, as the requirement only applies to public authorities, those that carry out large-scale systematic monitoring of individuals and those that carry out large-scale processing of special categories of data or data related to criminal offences. However, the Regulation implies that most companies that handle personal data should designate someone to oversee GDPR compliance, even if that person is not technically a DPO. The Regulation also allows a group of companies to appoint a collective DPO.
Prepare for data breaches
All companies are vulnerable to data breaches, whether due to negligence, malicious action or a combination of the two. Small businesses might mistakenly believe that they’re below hackers’ radars or don’t have anything worth taking, but cyber criminals often target exploitable weaknesses rather than specific companies.
It’s important to know what to do should you be breached. The GDPR states that any breach that results in a risk to the rights and freedoms of individuals needs to be reported to the relevant supervisory authority within 72 hours of its discovery.
This will be tough for sole traders to comply with, as preparing the requisite information takes time. The breach notification needs to provide:
- The nature of the breach, including – where possible – the categories and approximate number of individuals and personal data records concerned.
- The name and contact details of the DPO or relevant person.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to be taken to respond to the breach.
It will be much easier to meet the 72-hour notification deadline if you have a plan to carry out these requirements.
Get appropriate consent
The GDPR adjusts the requirements for consent, with perhaps the biggest change being that consent needs to be obtained via “clear affirmative action”, which nullifies opt-out options such as pre-ticked boxes.
The consent request must cover the specific processing details, the type of information requested, the purposes of the processing and any special aspects that may affect the individual, such as disclosures.
There are many nuances to getting consent under the GDPR, and it’s not always the most appropriate legal ground for obtaining personal data. As such, we recommend reading our dedicated blogs on the topic.
How to achieve compliance
The good news is that many of the GDPR’s principles are similar to current data protection laws, which means that if you’re currently compliant, most of your processes will remain valid. However, there are some important changes, so you need to put in place a plan to achieve compliance.
There’s now less than a year until the Regulation takes effect. That means you have enough time to prepare for the change, but you need to act soon as compliance is not something you want to leave until the last minute.
A good place to start is our handbook EU GDPR – A Pocket Guide. Written by IT Governance’s founder and executive chairman, Alan Calder, this guide is the ideal resource for anyone looking for a primer on the principles of data protection and their obligations under the GDPR. It describes the terms and definitions used in the GDPR in simple terms, outlines the key requirements of the GDPR and provides advice on complying with the Regulation.